CVE-2025-54591
BaseFortify
Publication date: 2025-09-29
Last updated on: 2025-10-03
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| freshrss | freshrss | up to 1.27.0 (excluding 1.27.0) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| NVD-CWE-noinfo | Insufficient information (NVD placeholder, no specific CWE assigned) |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-54591 is a security vulnerability in FreshRSS versions 1.26.3 and below where certain feed and tag related API endpoints lack proper access control checks. This allows unauthenticated users to access sensitive information about feeds and tags of the default admin user. The issue arises because some controllers do not use the standard access enforcement method (firstAction()) or perform manual access checks, leading to exposure of feed IDs, names, tag names, and unread counts without authentication. The vulnerability was fixed in FreshRSS version 1.27.0 by adding the necessary access checks to these endpoints. [1, 3]
How can this vulnerability impact me?
This vulnerability can impact you by allowing unauthorized, unauthenticated users to remotely access sensitive information about the default admin user's feeds and tags, including feed names, tag names, and unread article counts. This exposure can compromise privacy and potentially reveal user subscription details. The attack requires no privileges or user interaction and has low complexity, making it easier for attackers to exploit. However, it does not allow modification or deletion of data, only information disclosure. [3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access the vulnerable endpoints that expose feed and tag information without authentication. Specifically, you can try accessing the following URLs on your FreshRSS instance to see if sensitive information is returned without requiring login:

- /i/?c=tag&a=update&id=[incrementing tag ID]
- /i/?c=javascript&a=actualize
- /i/?c=javascript&a=nbUnreadsPerFeed

For example, using curl (the URLs are quoted so that the shell does not interpret `&` as a background operator):

```shell
# Replace your-freshrss-instance with the host name of the instance under review.
curl -v 'http://your-freshrss-instance/i/?c=tag&a=update&id=1'
curl -v 'http://your-freshrss-instance/i/?c=javascript&a=actualize'
curl -v 'http://your-freshrss-instance/i/?c=javascript&a=nbUnreadsPerFeed'
```

If these requests return feed or tag information without authentication, your system is vulnerable. [3]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation steps are:

1. Upgrade FreshRSS to version 1.27.0 or later, where the vulnerability is fixed by adding the necessary access checks.
2. As a workaround before upgrading, create a separate admin user and set it as the default user in data/config.php to protect the privacy of the primary administrator account.
3. Restrict access to the FreshRSS instance to trusted networks or users until the update is applied.

Upgrading is strongly recommended to benefit from the full security improvements and fixes. [1, 3]